[UNIX] libgtop_daemon Remote Format String and Buffer Overflow Vulnerabilities
From: support@securiteam.comDate: 12/08/01
- Previous message: support@securiteam.com: "[UNIX] Sendpage (Perl CGI) Remote Execution Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Sat, 8 Dec 2001 14:17:27 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
libgtop_daemon Remote Format String and Buffer Overflow Vulnerabilities
------------------------------------------------------------------------
SUMMARY
The Laboratory intexxia found a remote exploitable format string
vulnerability in libgtop_daemon that could cause privilege escalation on a
remote system. In addition, Flavio Veloso has discovered a buffer overflow
in the libgtop_daemon that allows execution of arbitrary code.
DETAILS
Vulnerable systems:
libgtop_daemon versions prior to 1.0.12
Immune systems:
libgtop_daemon versions 1.0.13 and up
libgtop_daemon is a GNOME daemon used to monitor process running on a
remote system.
Format string:
A remote format string vulnerability exists in this daemon. The 2
functions named syslog_message() and syslog_io_message() are called with a
format string which is initialized by the client.
By sending a specially crafted format string to the server, it is possible
for a remote attacker to execute arbitrary code on the remote system with
the daemon permissions. This vulnerability could cause privilege
escalation.
The permitted() function, that verifies if the client trying to connect is
authorized to, is concerned by this flaw.
The libgtop_daemon daemon is launched with 'nobody' permissions by
default. Complete exploitation of this vulnerability will permit an
attacker to execute code with the 'nobody' permissions. However, this flaw
could be used to compromise the local system by exploiting other local
vulnerabilities.
Exploit:
Here is a proof of concept to show where the problem occurs:
Client side :
~ % telnet 127.0.0.1 42800
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
%p%p
Connection closed by foreign host.
~ % telnet 127.0.0.1 42800
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
%n%n
Connection closed by foreign host.
Server side :
~/# libgtop_daemon -f
' from clientn[3877]: Invalid authentication protocol
'0xbffff46c0x804b2ae
libgtop-daemon[3877]: Refused connection from 127.0.0.1.
Segmentation fault
Patch:
diff -dru libgtop-1.0.12/src/daemon/gnuserv.c
libgtop-1.0.12-patched/src/daemon/gnuserv.c
--- libgtop-1.0.12/src/daemon/gnuserv.c Mon Nov 26 13:48:14 2001
+++ libgtop-1.0.12-patched/src/daemon/gnuserv.c Mon Nov 26 13:49:26 2001
@@ -93,7 +93,7 @@
vsnprintf (buffer, BUFSIZ-1, format, ap);
va_end (ap);
- syslog (priority, buffer);
+ syslog (priority, "%s", buffer);
}
void
@@ -108,7 +108,7 @@
va_end (ap);
snprintf (buffer2, BUFSIZ-1, "%s: %s", buffer, strerror (errno));
- syslog (priority, buffer2);
+ syslog (priority, "%s", buffer2);
}
/*
Buffer overflow:
When Flavio Veloso investigated this issue, he noticed another big
security hole in the daemon. It is a buffer overflow in the same
permitted() function, which may allow the client to execute code on the
server. Here is the code:
permitted (u_long host_addr, int fd)
{
(...)
char buf[1024];
int auth_data_len;
(...)
if (timed_read (fd, buf, 10, AUTH_TIMEOUT, 1) <= 0)
return FALSE;
auth_data_len = atoi (buf);
if (timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0) !=
auth_data_len)
return FALSE;
Example:
Here you can see the bug in action:
$ perl -e 'print "MAGIC-1\0\0\0\0\0\0\0\0". "2000\0\0\0\0\0\0".
("A"x2000)' | nc localhost 42800
Patch:
diff -Nru libgtop-1.0.13.orig/src/daemon/gnuserv.c
libgtop-1.0.13/src/daemon/gnuserv.c
--- libgtop-1.0.13.orig/src/daemon/gnuserv.c Mon Nov 26 20:37:59 2001
+++ libgtop-1.0.13/src/daemon/gnuserv.c Tue Nov 27 09:16:16 2001
@@ -200,6 +200,12 @@
auth_data_len = atoi (buf);
+ if (auth_data_len < 1 || auth_data_len > sizeof(buf)) {
+ syslog_message(LOG_WARNING,
+ "Invalid data length supplied by client");
+ return FALSE;
+ }
+
if (timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0) !=
auth_data_len)
return FALSE;
Official solution (for both):
libgtop_daemon release 1.0.13 has been made to correct this issue. Here is
a link where you can download it :
<ftp://ftp.gnome.org/pub/GNOME/stable/sources/libgtop/libgtop-1.0.13.tar.gz> ftp://ftp.gnome.org/pub/GNOME/stable/sources/libgtop/libgtop-1.0.13.tar.gz
ADDITIONAL INFORMATION
The information has been provided by <mailto:benoit.roussel@intexxia.com>
Beno?t Roussel and <mailto:flaviovs@magnux.com> Flavio Veloso.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[UNIX] Sendpage (Perl CGI) Remote Execution Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
